Block subresource requests whose URLs include credentials
Categories
(Core :: Networking, task, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox54 | --- | affected |
People
(Reporter: valentin, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: sec-want, Whiteboard: [necko-triaged][necko-priority-new])
Attachments
(1 obsolete file)
A bit of background: https://github.com/whatwg/fetch/pull/465

This should likely be implemented behind a pref, in case we regress major use cases, such as corporate networks, etc.
Comment 1 • 7 years ago (Reporter)
Hi Patrick, what are your thoughts on this?
Comment 2 • 7 years ago
Not sure why we would unilaterally do this. Is there a reason to do it without coordination?
Comment 3 • 7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Comment 5 • 6 years ago
Please evaluate performance first, but have a look.
Updated • 6 years ago (Reporter)
Comment 6 • 6 years ago (Reporter)
Comment 7 • 6 years ago (Reporter)
The attached WIP patch blocks subresource requests that include credentials (if those credentials differ from the top-level load). I think we also need to handle redirects, but that shouldn't be too difficult. However, I think we should put off landing this for now until https://github.com/whatwg/fetch/pull/465 gets merged and we have proper WPT test coverage for it. The only browser to have implemented this is Chrome, and they are currently dealing with regressions: https://bugs.chromium.org/p/chromium/issues/detail?id=731618
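The policy described in comment 7, modelled as an added example. This is not the WIP patch, not Necko code, and not the Fetch spec text; it uses the WHATWG URL API available in Node.js and browsers, and it assumes the rule as the comment states it: a subresource request is blocked when its URL carries userinfo credentials that differ from the top-level document's, and a redirect chain is blocked if any hop would be. The function names and the sample URLs are constructed for illustration.

```javascript
// Added example: a model of "block subresource requests whose URLs include
// credentials" as described in comment 7. Not Firefox/Necko code.
// Assumption: block when the subresource URL embeds credentials that differ
// from the top-level URL's; URLs without userinfo are always allowed.

// userinfo is exposed by the URL API as .username / .password; the query
// string and fragment are not userinfo and are ignored here on purpose.
function hasEmbeddedCredentials(url) {
  return url.username !== '' || url.password !== '';
}

function credentialsOf(url) {
  return `${url.username}:${url.password}`;
}

// Returns true when the request for subresourceHref should be blocked,
// given the top-level document at topLevelHref.
function shouldBlockSubresource(topLevelHref, subresourceHref) {
  let top;
  let sub;
  try {
    top = new URL(topLevelHref);
    sub = new URL(subresourceHref);
  } catch (e) {
    // An unparseable URL cannot be fetched; fail closed.
    return true;
  }
  if (!hasEmbeddedCredentials(sub)) {
    return false; // no credentials in the subresource URL: allowed
  }
  if (hasEmbeddedCredentials(top) && credentialsOf(top) === credentialsOf(sub)) {
    return false; // same credentials as the top-level load: allowed
  }
  return true; // credentials differ (or top-level had none): blocked
}

// Redirect handling (comment 7 notes it is needed): every hop is checked,
// because a redirect target may introduce credentials the first URL lacked.
function shouldBlockRedirectChain(topLevelHref, hopHrefs) {
  return hopHrefs.some((href) => shouldBlockSubresource(topLevelHref, href));
}

// Constructed sample inputs (hypothetical hosts, not real sites).
const TOP_LEVEL = 'https://user:pw@intranet.example/index.html';
const SAMPLES = [
  { href: 'https://cdn.example/app.js', expectBlocked: false },
  { href: 'https://user:pw@intranet.example/style.css', expectBlocked: false },
  { href: 'https://other:secret@intranet.example/img.png', expectBlocked: true },
  // username only: "user:" differs from the top-level "user:pw"
  { href: 'https://user@intranet.example/data.json', expectBlocked: true },
  // "user:pw" in the query string is not userinfo, so it is not blocked here
  { href: 'https://third-party.example/x?u=user:pw', expectBlocked: false },
];

// Evaluates each sample; returns true when every decision matches expectation.
function checkSamples() {
  return SAMPLES.every(
    (s) => shouldBlockSubresource(TOP_LEVEL, s.href) === s.expectBlocked,
  );
}

for (const s of SAMPLES) {
  console.log(shouldBlockSubresource(TOP_LEVEL, s.href) ? 'BLOCK ' : 'allow ', s.href);
}
```

The last sample is the caveat worth noticing: the check only sees userinfo, so credential-looking strings elsewhere in a URL are out of scope for this policy, which is about stopping the browser from sending embedded credentials with the request, not about scanning URLs for secrets.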
Comment 9 • 4 years ago (Reporter)
There doesn't seem to be any browser consensus on doing this yet.
Updated • 4 years ago
Comment 10 • 4 years ago
It seems the regression against Chrome is closed and this would remove confusing user-facing dialogs. I suspect Johann et al would appreciate it if we did this. If that's the case I'd be happy to get that Fetch PR moving again.
Comment 11 • 4 years ago
Sorry, I may be missing something, are we showing any dialogs for sub-resources with credentials? :)
Comment 12 • 4 years ago
Sorry, yes, those are indeed different things. What I was thinking of is tracked by bug 647010 I think.
The focus here is primarily reducing opportunities for dictionary attacks. And I think we agree that this would be good, but we were afraid of web compatibility. Now that Chrome has been shipping this for a number of years and the regressions haven't piled up, we should follow I think, unless I'm missing something.
Comment 13 • 4 years ago
FWIW I agree though I don't see this as a top priority (but I'll leave that to Necko folks).
Comment 14 • 1 month ago
Landed by Chrome in ?59? (2017). The flag to still use it anyway was removed in 2021. We should probably follow suit.
Comment 15 • 21 days ago
This is a duplicate of bug 479038.